From: "Andreas K. Huettel" <dilfridge@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Re: rejecting unsigned commits
Date: Fri, 25 Mar 2011 20:57:22 +0100
References: <20110325074824.TAf2c206.tv@veller.net>
Message-Id: <201103252057.22740.dilfridge@gentoo.org>
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha512

> > Do you want to reject signed commits if
> > - keys are not publicly available [1]
>
> no. e-mail warnings will be issued so that the dev can upload it
> after the fact.

Why? I'm pretty sure someone will forget. (Or try to trick the system.)

> > - keys are revoked [3]
>
> yes

Only if the signature was made after the date/time of the revocation.

> > - keys are not listed in userinfo.xml (current or former devs) [4]
>
> no. you can sign a key with your personal key and that's good enough.

Heh. Yes, if there is a validity that can be checked in an automated way. Which means a signature on the userid. A chain of trust can of course be implemented in many ways, but requiring the user to download the entire strong set is not an option. :o)

The @gentoo.org email addresses are advantageous because they provide a pre-existing identification. Which is as strong as we will ever get with this mechanism (I think).

--
Andreas K. Huettel
Gentoo Linux developer - kde, sci, arm, tex
dilfridge@gentoo.org
http://www.akhuettel.de/
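The three checks the reply argues about (key not available, key revoked, key not tied to a developer) can be expressed as a single policy over GnuPG's machine-readable status lines. The following is an added example, not Gentoo infrastructure code and not something proposed in the thread: it parses `--status-fd` output of the kind `git verify-commit --raw` relays, and rejects a signature by a revoked key only when the signature was made after the revocation. GnuPG's status output does not carry the revocation time, so the caller supplies it (the `rev` record of `gpg --with-colons --list-sigs` is one assumed source). "Listed for a developer" and "user ID certified by a developer key" are modelled as fingerprint sets the caller passes in. All fingerprints, timestamps and status lines are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


@dataclass
class SigInfo:
    fingerprint: str = ""            # primary-key fingerprint from VALIDSIG
    sig_time: Optional[int] = None   # signature creation time, seconds since epoch
    verified: bool = False           # GOODSIG / EXPKEYSIG / REVKEYSIG seen
    key_revoked: bool = False        # REVKEYSIG or KEYREVOKED seen
    no_pubkey: bool = False          # NO_PUBKEY seen: key not available to verifier
    bad: bool = False                # BADSIG seen


def parse_status(status_text: str) -> SigInfo:
    """Reduce gpg --status-fd lines to the facts the policy needs."""
    info = SigInfo()
    for raw in status_text.splitlines():
        m = STATUS_RE.match(raw.strip())
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword == "VALIDSIG":
            # VALIDSIG <fpr> <sig_date> <sig_timestamp> <expire_ts> <version>
            #          <reserved> <pk_algo> <hash_algo> <sig_class> [<primary_fpr>]
            info.fingerprint = args[9] if len(args) > 9 else args[0]
            info.sig_time = int(args[2])  # seconds since the epoch
        elif keyword in ("GOODSIG", "EXPKEYSIG"):
            info.verified = True
        elif keyword == "REVKEYSIG":
            info.verified, info.key_revoked = True, True
        elif keyword == "KEYREVOKED":
            info.key_revoked = True
        elif keyword == "NO_PUBKEY":
            info.no_pubkey = True
        elif keyword == "BADSIG":
            info.bad = True
    return info


def evaluate(info: SigInfo, dev_keys: Set[str], uid_certified_by: Set[str],
             revoked_at: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accept, reason) for one commit signature.

    dev_keys: fingerprints listed for current or former developers.
    uid_certified_by: fingerprints of keys that signed the committer's user ID.
    revoked_at: revocation time (epoch seconds) of the signing key, if revoked.
    """
    if info.bad:
        return False, "bad signature"
    if info.no_pubkey:
        return False, "signing key not available; cannot verify"
    if not info.verified or info.sig_time is None:
        return False, "no verifiable signature"
    if info.key_revoked:
        if revoked_at is None:
            return False, "key revoked, revocation time unknown"
        if info.sig_time >= revoked_at:
            return False, "signed after key revocation"
        # A signature that predates the revocation stays valid.
    if info.fingerprint in dev_keys:
        return True, "key listed for a developer"
    if uid_certified_by & dev_keys:
        return True, "user ID certified by a developer key"
    return False, "key not listed and not certified by a developer key"


def check_commit(status_text: str, dev_keys: Set[str],
                 certified_by: FrozenSet[str] = frozenset(),
                 revoked_at: Optional[int] = None) -> Tuple[bool, str]:
    return evaluate(parse_status(status_text), set(dev_keys), set(certified_by), revoked_at)


# Constructed sample data (hypothetical fingerprints; long key IDs are their last 16 hex digits).
DEV_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"
REVOCATION_TIME = 1301011200  # 2011-03-25 00:00 UTC

# Good signature by a key that has since been revoked; signed 2011-03-20 00:00 UTC.
REVOKED_KEY_STATUS = f"""\
[GNUPG:] NEWSIG
[GNUPG:] KEYREVOKED
[GNUPG:] REVKEYSIG 89ABCDEF01234567 Example Dev <example@gentoo.org>
[GNUPG:] VALIDSIG {DEV_FPR} 2011-03-20 1300579200 0 4 0 1 10 01 {DEV_FPR}
"""
# Good signature by a key that is not in the developer list.
GOOD_STATUS = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone <someone@example.org>
[GNUPG:] VALIDSIG {OTHER_FPR} 2011-03-25 1301000000 0 4 0 1 10 01 {OTHER_FPR}
"""
# Signature whose key the verifier does not have.
MISSING_KEY_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 01 1301000000 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""
```

The revocation check is deliberately conservative: a revoked key with no known revocation time is rejected rather than accepted, since the only thing that makes a pre-revocation signature acceptable is the timestamp comparison.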